1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Slides:

Advertisements

Similar presentations

Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.

Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.

RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.

1 UCR Reference Monitors/Information Flow Tracking Slide credits: Raksha presentation based on that original authors?

Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.

Protection and the Kernel: Mode, Space, and Context.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Secure Operating Systems Lesson B: Let’s go break something.

Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Kinshuk Govil, Dan Teodosiu*, Yongqiang Huang, and Mendel Rosenblum

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

1 RAMP Jan’08 Raksha & Atlas: Prototyping & Emulation at Stanford Christos Kozyrakis work done by S. Wee, N. Njoroge, M. Dalton, H. Kannan Computer Systems.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.

1 CSE 451 Section 2: Interrupts, Syscalls, Virtual Machines, and Project 1.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Zeldovich et al. (both papers) Reading Group by Theo.

Accelerating Dynamic Software Analyses Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 1,

Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.

M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

Enforcing Executing-Implies-Verified with the Integrity-Aware Processor Michael LeMay Carl A. Gunter University of Illinois at Urbana-Champaign Modified.

Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.

The Potential of Sampling for Dynamic Analysis Joseph L. GreathouseTodd Austin Advanced Computer Architecture Laboratory University of Michigan PLAS, San.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.

G. Venkataramani, I. Doudalis, Y. Solihin, M. Prvulovic HPCA ’08 Reading Group Presentation 02/14/2008.

Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.

A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.

Introduction to Operating Systems Concepts

Translation Lookaside Buffer

Homework Reading Machine Projects Labs

Hardware-rooted Trust for Secure Key Management & Transient Trust

CMSC 611: Advanced Computer Architecture

Protection in Virtual Mode

Introduction to Operating Systems

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Reference Monitors/Information Flow Tracking

Theodore Lawson CSCE548 Student Presentation, Topic #2

Chapter 1: Introduction

nZDC: A compiler technique for near-Zero silent Data Corruption

Overview Introduction General Register Organization Stack Organization

Modularity and Memory Clearly, programs must have access to memory

Hardware Support for Embedded Operating System Security

Bruhadeshwar Meltdown Bruhadeshwar

Introduction to Operating Systems

Shielding applications from an untrusted cloud with Haven

CS5123 Software Validation and Quality Assurance

Presentation transcript:

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis August 2007

PRESENTATION OUTLINE  Motivation  Goals of a Security Technique  What is Dynamic Information Flow Tracking  Raksha Architecture  Security and Performance Evaluation  Summary  Questions 2

MOTIVATION  High-level semantic vulnerabilities are prevalent in web-based attacks  SQL injection – code inserted into entry field  Cross-Site Scripting (XSS)  Injected website sends malicious code to client  Real-World Examples:  Website database breach  The Wall Street Journal database in July 2014  Twitter worms 3 statement = "SELECT * FROM users WHERE name ='" + userName + "';" SELECT * FROM users WHERE name = ‘bob' OR '1'='1'; ‘bob’ OR '1'='1 userName: ERROR!

GOALS OF SECURITY TECHNIQUES Robust Flexible End-to- End Practical Fast 4 Few false positives or false negatives Adapt to cover evolving threats Cover all parts of the system Easy to implement Low overhead

WHAT IS DIFT? DIFT – Dynamic Information Flow Tracking  Associates a tag with every word of memory  Tag is used to mark tainted data from untrusted sources  Data produced from tainted data is also tainted  Check tag when data is used for potentially unsafe operations (ex. Code Execution)  Detects both low and high-level attacks 5 userName= X ‘bob’ X OR X ‘1’=‘1 TagData 'bob' OR '1'='1 userName: User input (untrusted) Tag Check SECURITY TRAP

RAKSHA ARCHITECTURE OVERVIEW  Hardware-supported DIFT  Tag checking in Pipeline  Key Features of Raksha:  4-bit Tags per Word  Programmable security policies  User-level Exception handling 6 User Program A User Program B OS Security Handler Hardware Tags & Checkers Tag Aware 32-bit Word Tag Memory Registers Cache lines One Tag per Policy

RAKSHA: TAG AND POLICY REGISTERS  4-bit tag for each word in registers, cache lines, and memory  Allow up to four different policies  Each policy (tag bit) comes with two configuration registers:  Tag Check Register (TCR) - Specify what checks to enable for different instructions  Tag Propagation Register (TPR) - Specify the rules for propagating the tags 7 load r2 ← M[r1+offset] Check Check source register r1 Check source address M[r1+offset] Propagation Only source register r1 Only source address M[r1+offset] OR / AND of source tags 32-bit Word Tag

RAKSHA: PIPELINE  Modified Leon SPARC V8 processor pipeline  4-bit tag in registers, caches and memory  Tag ALU propagates tags based on TPR  Tag-checker checks tags based on TCR and raises exception if needed 8 Execute Memory Exception Writeback Fetch DecodeAccess RakshaTags Raksha Logic

RAKSHA: SECURITY HANDLER  Runs at the same privilege level as applications in trusted mode  Handles security exception without going into OS kernel  Allows protection of OS code  Direct access to tag bits & tag instructions  Protected against malicious applications by sandboxing 9 App OS Security Handler Hardware trap Untrusted Trusted

EXAMPLE: SQL COMMAND INJECTION 10 MOV: Source propagation Policy #1: TPR EXEC: Instruction Check Policy #2: TCR ERROR X ‘bob’ X OR X ‘1’=‘1 Interpreter X X X SQL Code Executing SQL In HW Argument Safe? YES NO SECURITY HANDLER detected X X X SQL Functions Library X X String Tainting X Funct. Call Interposition Untagged

TEST SETUP  Hardware  Modified Leon SPARC V8 processor  Mapped to an FPGA board  Software  Modified Linux kernel  Applications (Apache, PostgreSQL, OpenSSH, …)  SPEC2000 benchmarks 11

SECURITY EVALUATION  Security test for low-level and high-level attacks  False positives and negatives? 12

PERFORMANCE EVALUATION  Performance slow down for Raksha vs OS exception handling  SPEC2000 integer benchmarks with memory corruption protection policy  Varying overheads due to different bounds checking techniques by the applications 13

CONCLUSION / SUMMARY  Raksha Features:  DIFT implementation with hardware support  Detects high-level and low-level attacks  Flexible security policies  Low performance overhead  Limitations  7.17% gate overhead, 12.5% memory overhead  Tagging not well defined for byte-level data  Inaccuracies in protection against memory corruption vulnerabilities 14

Questions? 15

DISCUSSION POINTS  Is the 4-bit tag enough or too much? How well will this scale for large systems?  Is Raksha (designed for unmodified binaries) suitable for protection against memory corruption vulnerabilities?  Is it safe for security handler to run at the user-level? PROCON 16

17